Brion Vibber | 1 Jun 01:25 2005

Re: [Wikipedia-l] server maintenance on June 1, 3 a.m. UTC

Jens Frank wrote:
> We'll create some new indexes that should improve site
> performance. To do this, we need to set the wikis to
> read only at 3 a.m. UTC (5 a.m. Berlin/Paris, about
> 10 p.m. Chicago). The downtime will take about 2 hours.

While we're on this, that would be a good time to run the password hash
salting.

We'd originally held off on that because a migration to shared user
accounts could change user IDs (and thus the salt), breaking all
password hashes. However, it looks like the type of shared account system
we'll end up with is going to be a central account + local accounts, and
a mass migration isn't necessary: people will 'upgrade' their accounts
and be able to punch in their password for confirmation at the time.

For that type of scheme the salt will not be an issue, so we've got no
excuse not to do it.

(For those who didn't notice, Slashdot ran a scaremongering "story"
today about a list of troll accounts Tim made almost a year ago by
comparing password hashes under the title "Wikipedia Leaks Some Users'
Passwords". Slashdot's fun, but it's not journalism; don't expect to
ever get an e-mail from a Slashdot editor asking for comment or
confirmation on facts... Anyway, at least it reminded us we haven't
finished the salted hash transition.)

-- brion vibber (brion  <at>  pobox.com)

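The points in the message above (identical unsalted hashes exposing shared passwords, a salt tied to the user ID, and a changed ID breaking stored hashes), as an added example that is not part of the original e-mail and not MediaWiki's own code. The `md5(user_id + "-" + md5(password))` construction, the function names and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict

def md5_hex(text: str) -> str:
    # MD5 only because it is the hash named in this thread.
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def salted_hash(user_id: int, password: str) -> str:
    # Assumed construction: the user ID is the salt, wrapped around the old hash.
    return md5_hex(f"{user_id}-{md5_hex(password)}")

def salt_existing(unsalted: dict) -> dict:
    # Bulk migration from the stored unsalted hashes; no plaintext is needed,
    # so it can run while the site is read-only.
    return {uid: md5_hex(f"{uid}-{h}") for uid, h in unsalted.items()}

def shared_password_groups(stored: dict) -> list:
    # Account IDs grouped by identical stored hash (the comparison the thread mentions).
    groups = defaultdict(list)
    for uid, digest in stored.items():
        groups[digest].append(uid)
    return sorted(sorted(ids) for ids in groups.values() if len(ids) > 1)

def verify(user_id: int, password: str, stored_digest: str) -> bool:
    return hmac.compare_digest(salted_hash(user_id, password), stored_digest)

# Constructed sample accounts: user ID -> password.
ACCOUNTS = {101: "correct horse", 102: "hunter2", 103: "hunter2", 104: "hunter2"}
UNSALTED = {uid: md5_hex(pw) for uid, pw in ACCOUNTS.items()}
SALTED = salt_existing(UNSALTED)

def login_after_renumber(old_id: int, new_id: int) -> bool:
    # The stored digest was salted with old_id; the login now presents new_id.
    return verify(new_id, ACCOUNTS[old_id], SALTED[old_id])

if __name__ == "__main__":
    print("unsalted duplicates:", shared_password_groups(UNSALTED))
    print("salted duplicates:  ", shared_password_groups(SALTED))
    print("login, same ID:     ", verify(102, "hunter2", SALTED[102]))
    print("login, changed ID:  ", login_after_renumber(102, 9102))
```
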
Brion Vibber | 1 Jun 06:21 2005

Re: Re: [Wikipedia-l] server maintenance on June 1, 3 a.m. UTC

Brion Vibber wrote:
> Jens Frank wrote:
>> We'll create some new indexes that should improve site
>> performance. To do this, we need to set the wikis to
>> read only at 3 a.m. UTC (5 a.m. Berlin/Paris, about
>> 10 p.m. Chicago). The downtime will take about 2 hours.
>
> While we're on this, that would be a good time to run the password hash
> salting.

Done.

The other indexes are still building, we'll be back online soon enough... :)

-- brion vibber (brion  <at>  pobox.com)
_______________________________________________
Wikitech-l mailing list
Wikitech-l <at> wikimedia.org
http://mail.wikipedia.org/mailman/listinfo/wikitech-l

Tels | 1 Jun 18:50 2005

Re: Re: [Wikipedia-l] server maintenance on June 1, 3 a.m. UTC


Moin,

On Wednesday 01 June 2005 06:21, Brion Vibber wrote:
> Brion Vibber wrote:
> > Jens Frank wrote:
> >> We'll create some new indexes that should improve site
> >> performance. To do this, we need to set the wikis to
> >> read only at 3 a.m. UTC (5 a.m. Berlin/Paris, about
> >> 10 p.m. Chicago). The downtime will take about 2 hours.
> >
> > While we're on this, that would be a good time to run the password
> > hash salting.
>
> Done.
>
> The other indexes are still building, we'll be back online soon
> enough... :)

Arg, I was not fast enough. I just wanted to say that I am shocked that
Wikipedia didn't already salt the passwords.

And in addition, I hope that now not only the passwords are salted, but 
actually include more measures against brute-forcing, like hashing the 
password 10000 times, or using something stronger than MD5.

But I fear it is again too late for adding that :/

Best wishes,


Timwi | 2 Jun 23:37 2005

Re: [Wikipedia-l] server maintenance on June 1, 3 a.m. UTC

Tels wrote:
> 
> And in addition, I hope that now not only the passwords are salted, but 
> actually include more measures against brute-forcing, like hashing the 
> password 10000 times, or using something stronger than MD5.

That doesn't make it any more resistant against brute-forcing.

Timwi
